authorLeonardo Arena <rnalrd@alpinelinux.org>2018-06-11 12:02:41 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2018-06-11 12:02:44 +0000
commit96018bf2841ac59b632f6d84ad6247b5b825dc3a (patch)
treee69e694f2680521c7ab12facb805bba25546b692
parent770d5dd56f9cec7d85d5e51c19fa43a82c287db3 (diff)
downloadaports-96018bf2841ac59b632f6d84ad6247b5b825dc3a.tar.bz2
aports-96018bf2841ac59b632f6d84ad6247b5b825dc3a.tar.xz
main/xen: security fixes
-rw-r--r--main/xen/APKBUILD36
-rw-r--r--main/xen/xsa258-4.6.patch123
-rw-r--r--main/xen/xsa259-4.6.patch30
-rw-r--r--main/xen/xsa260-1.patch71
-rw-r--r--main/xen/xsa260-2.patch110
-rw-r--r--main/xen/xsa260-3.patch138
-rw-r--r--main/xen/xsa260-4.patch72
7 files changed, 577 insertions, 3 deletions
diff --git a/main/xen/APKBUILD b/main/xen/APKBUILD
index f4f2d2760c..d21dfafd31 100644
--- a/main/xen/APKBUILD
+++ b/main/xen/APKBUILD
@@ -4,7 +4,7 @@
# Maintainer: William Pitcock <nenolod@dereferenced.org>
pkgname=xen
pkgver=4.6.6
-pkgrel=4
+pkgrel=5
pkgdesc="Xen hypervisor"
url="http://www.xen.org/"
arch="x86_64"
@@ -91,8 +91,14 @@ subpackages="$pkgname-doc $pkgname-dev $pkgname-libs $pkgname-hypervisor"
# - CVE-2017-17564 XSA-250
# - CVE-2017-17565 XSA-251
# 4.6.3-r4:
-# - CVE-2018-7540, XSA-252
-# - CVE-2018-7541, XSA-255
+# - CVE-2018-7540 XSA-252
+# - CVE-2018-7541 XSA-255
+# 4.6.6-r5:
+# - CVE-2018-10472 XSA-258
+# - CVE-2018-10471 XSA-259
+# - CVE-2018-8897 XSA-260
+# - CVE-2018-10982 XSA-261
+# - CVE-2018-10981 XSA-262
# grep _VERSION= stubdom/configure
_ZLIB_VERSION="1.2.3"
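Review bot: The new changelog comment for 4.6.6-r5 lists CVE-2018-10982 / XSA-261 and CVE-2018-10981 / XSA-262 as fixed, but the only patches this commit adds to source= are xsa258-4.6.patch, xsa259-4.6.patch and xsa260-1..4.patch, and the diffstat shows no xsa261 or xsa262 file. Unless those two advisories are covered by a patch not visible in this commit, either the corresponding patches should be added (with matching checksum entries) or the two lines `# - CVE-2018-10982 XSA-261` and `# - CVE-2018-10981 XSA-262` dropped, so the comment does not overstate what the package actually fixes. The `# 4.6.3-r4:` heading above the re-touched CVE-2018-7540/7541 lines also looks inconsistent with pkgver=4.6.6 in the first hunk and is probably meant to read `# 4.6.6-r4:`.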
@@ -155,6 +161,12 @@ source="https://downloads.xenproject.org/release/xen/$pkgver/$pkgname-$pkgver.ta
xsa252-4.6.patch
xsa255-4.6-1.patch
xsa255-4.6-2.patch
+ xsa258-4.6.patch
+ xsa259-4.6.patch
+ xsa260-1.patch
+ xsa260-2.patch
+ xsa260-3.patch
+ xsa260-4.patch
xenstore_client_transaction_fix.patch
qemu-coroutine-gthread.patch
@@ -387,6 +399,12 @@ bf2dee471f8b9d235005f62f8db581c1 xsa249.patch
ac62001428e32ca965850eb1a6b1fe61 xsa252-4.6.patch
c9e31b5a50d4fa11564a837dce3086ff xsa255-4.6-1.patch
3ad014bba5878afe4687219cb3bebdf4 xsa255-4.6-2.patch
+22fdf46ee4dd801783d5335fa5c9ee48 xsa258-4.6.patch
+81cab1e77eb0a00825e060d11a692f2f xsa259-4.6.patch
+f3d29778c33614bf7cc6dbbda7e3a723 xsa260-1.patch
+7d0d1c84ecf1385bac1a1ef2fd23fd57 xsa260-2.patch
+6923b925a488615dab1fb32947bf5ce2 xsa260-3.patch
+65185ee7a2eb6ae80955bc0a838c7e16 xsa260-4.patch
b05500e9fdcec5a076ab8817fc313ac3 xenstore_client_transaction_fix.patch
de1a3db370b87cfb0bddb51796b50315 qemu-coroutine-gthread.patch
08bfdf8caff5d631f53660bf3fd4edaf qemu-xen_paths.patch
@@ -455,6 +473,12 @@ f8cecf013a3628038e0a4566778852a560b25a1ce2f3872a989087ab2fc9a913 xsa251-4.8.pat
b7ba005fa62ace07f4880cc79824968c24ead3182245e4ed3a6e22cf8d2d7c05 xsa252-4.6.patch
be62d81583df10a6be275427d5cfa02084c8717473b3694cd2a9bbdc10cbadcb xsa255-4.6-1.patch
3dd58114c5ce68fd8dd43f8f92eaafdcec1fd9add37eb41faed1cf818058539a xsa255-4.6-2.patch
+2c58060a42dafbf65563941dd8c737732124b49eb47007cc60f647553227f557 xsa258-4.6.patch
+c40bc8802077cf73f8393fb50574b7c7efbc4d127e202b0ebd757d34aa07aac3 xsa259-4.6.patch
+2c5ce2851351a40df9ed17fae3c6f7505dcda60209945321b545b6b6e4f065cb xsa260-1.patch
+bfa2eb161f570b0295464ef41fc5add52e10853a1ec81de107f1a9deb945982f xsa260-2.patch
+2f30c4fbebeb77da50caff62a0f28d3afe8993bee19233543170f1955cebdcbc xsa260-3.patch
+363af89377d5819ad1450c8806824707d3e15700c179129aed62128e62ab1a0e xsa260-4.patch
c9691bd43a87a939d9a883279813c405eb5ac428a4f4f89e8eef01fbb4d2d6d1 xenstore_client_transaction_fix.patch
3941f99b49c7e8dafc9fae8aad2136a14c6d84533cd542cc5f1040a41ef7c6fe qemu-coroutine-gthread.patch
e4e5e838e259a3116978aabbcebc1865a895179a7fcbf4bad195c83e9b4c0f98 qemu-xen_paths.patch
@@ -523,6 +547,12 @@ b3030f09ddb4f9e4a356519c7b74d393e8db085278a1e616788c81d19988699a6efdd8568277c255
a0264d255f9d214a1a3b27fb0a80790084c5e4a5534ae291089d1c9f0c9126623116a6ff4228bd29d20b2834a2997280aabc0a5235410ef996cf59265ca33b3c xsa252-4.6.patch
46ad17fb615de4bcc23e8faa79f7d647d7df1acbc55b46e542662619a35198247ebdd19ee3d77eee9c4571b1309cb0c910e6509453a3e9f2b1e069c09b762f7c xsa255-4.6-1.patch
bae474a1e648dc635c708f63c3b55775d3053ebf051ca2d1dcec98bdca7e5152744011f9545baa426b0251cdefb9121a614b66a9eba2635e14f7fea11bb1d35b xsa255-4.6-2.patch
+b4c338c0cc8abefa272374fb5afbedb0c44f650e5d829a05e7b86389f8583e89981eabdd97567f5adc68b20f69e20b71cfe50c2f9be897fecf7af54a9a40c3bc xsa258-4.6.patch
+dc5fbfcf42627c954f6745a19f0cf5f70cfafc4aba16892c4beef00adcfcc93bc87500cf5a264af4614f84a6e3c55889726cf21a6ff67fb4d58f25c420bab1ad xsa259-4.6.patch
+6a158eb1f249b256259649e9b227bcea4397d352ca441d5e46cfb54492421c9e5cc7c7feb460f570711d03dc6a73f6065ae82a644bb7456493cc5b7b041e44cb xsa260-1.patch
+7a4352b77a01960df73b00bacd86a367d4abf5d94314dd4ef9573d051e0632ed8f2076bda54664fe3f41df78830f15948d0a610228862c5de30d7181b3f79841 xsa260-2.patch
+63890ff4ab73a4afedbafe8d0a92d96fecc45f4d5906878dbc55071557c07f49f794ab50f871e3837a0e2a0dea6dd21b7662ef3e70d2b17c2149ff8ea7ef3483 xsa260-3.patch
+070dfe4cca5959d8021a132c5a5d440298294e73961cc50a7e564b36e1d2a671d4f69647bc05a89e42f865391bd483c9ba3845dc35b87644cb4028a228531193 xsa260-4.patch
69dfa60628ca838678862383528654ecbdf4269cbb5c9cfb6b84d976202a8dea85d711aa65a52fa1b477fb0b30604ca70cf1337192d6fb9388a08bbe7fe56077 xenstore_client_transaction_fix.patch
c3c46f232f0bd9f767b232af7e8ce910a6166b126bd5427bb8dc325aeb2c634b956de3fc225cab5af72649070c8205cc8e1cab7689fc266c204f525086f1a562 qemu-coroutine-gthread.patch
1936ab39a1867957fa640eb81c4070214ca4856a2743ba7e49c0cd017917071a9680d015f002c57fa7b9600dbadd29dcea5887f50e6c133305df2669a7a933f3 qemu-xen_paths.patch
diff --git a/main/xen/xsa258-4.6.patch b/main/xen/xsa258-4.6.patch
new file mode 100644
index 0000000000..776562dfc7
--- /dev/null
+++ b/main/xen/xsa258-4.6.patch
@@ -0,0 +1,123 @@
+From 575bcd86ee0ce6d3082126415d371424fc7b5bdb Mon Sep 17 00:00:00 2001
+From: Anthony PERARD <anthony.perard@citrix.com>
+Date: Thu, 8 Mar 2018 18:16:41 +0000
+Subject: [PATCH] libxl: Specify format of inserted cdrom
+
+Without this extra parameter on the QMP command, QEMU will guess the
+format of the new file.
+
+This is XSA-258.
+
+Reported-by: Anthony PERARD <anthony.perard@citrix.com>
+Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
+Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>
+---
+ tools/libxl/libxl_device.c | 12 ++++++++++++
+ tools/libxl/libxl_dm.c | 20 ++++++--------------
+ tools/libxl/libxl_internal.h | 1 +
+ tools/libxl/libxl_qmp.c | 2 ++
+ 4 files changed, 21 insertions(+), 14 deletions(-)
+
+diff --git a/tools/libxl/libxl_device.c b/tools/libxl/libxl_device.c
+index a81baee585..38ee43415f 100644
+--- a/tools/libxl/libxl_device.c
++++ b/tools/libxl/libxl_device.c
+@@ -395,6 +395,18 @@ char *libxl__device_disk_string_of_backend(libxl_disk_backend backend)
+ }
+ }
+
++const char *libxl__qemu_disk_format_string(libxl_disk_format format)
++{
++ switch (format) {
++ case LIBXL_DISK_FORMAT_QCOW: return "qcow";
++ case LIBXL_DISK_FORMAT_QCOW2: return "qcow2";
++ case LIBXL_DISK_FORMAT_VHD: return "vpc";
++ case LIBXL_DISK_FORMAT_RAW: return "raw";
++ case LIBXL_DISK_FORMAT_EMPTY: return NULL;
++ default: return NULL;
++ }
++}
++
+ int libxl__device_physdisk_major_minor(const char *physpath, int *major, int *minor)
+ {
+ struct stat buf;
+diff --git a/tools/libxl/libxl_dm.c b/tools/libxl/libxl_dm.c
+index 0db5f13553..f238a8e4b2 100644
+--- a/tools/libxl/libxl_dm.c
++++ b/tools/libxl/libxl_dm.c
+@@ -656,18 +656,6 @@ static int libxl__build_device_model_args_old(libxl__gc *gc,
+ return 0;
+ }
+
+-static const char *qemu_disk_format_string(libxl_disk_format format)
+-{
+- switch (format) {
+- case LIBXL_DISK_FORMAT_QCOW: return "qcow";
+- case LIBXL_DISK_FORMAT_QCOW2: return "qcow2";
+- case LIBXL_DISK_FORMAT_VHD: return "vpc";
+- case LIBXL_DISK_FORMAT_RAW: return "raw";
+- case LIBXL_DISK_FORMAT_EMPTY: return NULL;
+- default: return NULL;
+- }
+-}
+-
+ static char *dm_spice_options(libxl__gc *gc,
+ const libxl_spice_info *spice)
+ {
+@@ -1115,7 +1103,7 @@ static int libxl__build_device_model_args_new(libxl__gc *gc,
+ int disk, part;
+ int dev_number =
+ libxl__device_disk_dev_number(disks[i].vdev, &disk, &part);
+- const char *format = qemu_disk_format_string(disks[i].format);
++ const char *format;
+ char *drive;
+ const char *pdev_path;
+
+@@ -1125,6 +1113,11 @@ static int libxl__build_device_model_args_new(libxl__gc *gc,
+ continue;
+ }
+
++ if (disks[i].backend == LIBXL_DISK_BACKEND_QDISK)
++ format = libxl__qemu_disk_format_string(disks[i].format);
++ else
++ format = libxl__qemu_disk_format_string(LIBXL_DISK_FORMAT_RAW);
++
+ if (disks[i].is_cdrom) {
+ if (disks[i].format == LIBXL_DISK_FORMAT_EMPTY)
+ drive = libxl__sprintf
+@@ -1153,7 +1146,6 @@ static int libxl__build_device_model_args_new(libxl__gc *gc,
+ }
+
+ if (disks[i].backend == LIBXL_DISK_BACKEND_TAP) {
+- format = qemu_disk_format_string(LIBXL_DISK_FORMAT_RAW);
+ pdev_path = libxl__blktap_devpath(gc, disks[i].pdev_path,
+ disks[i].format);
+ } else {
+diff --git a/tools/libxl/libxl_internal.h b/tools/libxl/libxl_internal.h
+index a3597da22a..2e824f6249 100644
+--- a/tools/libxl/libxl_internal.h
++++ b/tools/libxl/libxl_internal.h
+@@ -1136,6 +1136,7 @@ _hidden int libxl__domain_pvcontrol_write(libxl__gc *gc, xs_transaction_t t,
+ /* from xl_device */
+ _hidden char *libxl__device_disk_string_of_backend(libxl_disk_backend backend);
+ _hidden char *libxl__device_disk_string_of_format(libxl_disk_format format);
++_hidden const char *libxl__qemu_disk_format_string(libxl_disk_format format);
+ _hidden int libxl__device_disk_set_backend(libxl__gc*, libxl_device_disk*);
+
+ _hidden int libxl__device_physdisk_major_minor(const char *physpath, int *major, int *minor);
+diff --git a/tools/libxl/libxl_qmp.c b/tools/libxl/libxl_qmp.c
+index f798de74c5..3d52b87072 100644
+--- a/tools/libxl/libxl_qmp.c
++++ b/tools/libxl/libxl_qmp.c
+@@ -955,6 +955,8 @@ int libxl__qmp_insert_cdrom(libxl__gc *gc, int domid,
+ return qmp_run_command(gc, domid, "eject", args, NULL, NULL);
+ } else {
+ qmp_parameters_add_string(gc, &args, "target", disk->pdev_path);
++ qmp_parameters_add_string(gc, &args, "arg",
++ libxl__qemu_disk_format_string(disk->format));
+ return qmp_run_command(gc, domid, "change", args, NULL, NULL);
+ }
+ }
+--
+2.16.2
+
diff --git a/main/xen/xsa259-4.6.patch b/main/xen/xsa259-4.6.patch
new file mode 100644
index 0000000000..17ffb0f2ee
--- /dev/null
+++ b/main/xen/xsa259-4.6.patch
@@ -0,0 +1,30 @@
+From: Jan Beulich <jbeulich@suse.com>
+Subject: x86: fix slow int80 path after XPTI additions
+
+For the int80 slow path to jump to handle_exception_saved, %r14 needs to
+be set up suitably for XPTI purposes. This is because of the difference
+in nature between the int80 path (which is synchronous WRT guest
+actions) and the exception path which is potentially asynchronous.
+
+This is XSA-259.
+
+Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reported-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+
+--- a/xen/arch/x86/x86_64/entry.S
++++ b/xen/arch/x86/x86_64/entry.S
+@@ -442,6 +442,12 @@ int80_slow_path:
+ movl $TRAP_gp_fault,UREGS_entry_vector(%rsp)
+ /* A GPF wouldn't have incremented the instruction pointer. */
+ subq $2,UREGS_rip(%rsp)
++ /*
++ * While we've cleared xen_cr3 above already, normal exception handling
++ * code has logic to restore the original value from %r15. Therefore we
++ * need to set up %r14 here, while %r15 is required to still be zero.
++ */
++ GET_STACK_BASE(%r14)
+ jmp handle_exception_saved
+
+ /* CREATE A BASIC EXCEPTION FRAME ON GUEST OS STACK: */
diff --git a/main/xen/xsa260-1.patch b/main/xen/xsa260-1.patch
new file mode 100644
index 0000000000..ba5c94fc9e
--- /dev/null
+++ b/main/xen/xsa260-1.patch
@@ -0,0 +1,71 @@
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Subject: x86/traps: Fix %dr6 handing in #DB handler
+
+Most bits in %dr6 accumulate, rather than being set directly based on the
+current source of #DB. Have the handler follow the manuals guidance, which
+avoids leaking hypervisor debugging activities into guest context.
+
+This is part of XSA-260 / CVE-2018-8897.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/traps.c
++++ b/xen/arch/x86/traps.c
+@@ -3667,10 +3667,35 @@ static void ler_enable(void)
+
+ void do_debug(struct cpu_user_regs *regs)
+ {
++ unsigned long dr6;
+ struct vcpu *v = current;
+
++ /* Stash dr6 as early as possible. */
++ dr6 = read_debugreg(6);
++
+ DEBUGGER_trap_entry(TRAP_debug, regs);
+
++ /*
++ * At the time of writing (March 2018), on the subject of %dr6:
++ *
++ * The Intel manual says:
++ * Certain debug exceptions may clear bits 0-3. The remaining contents
++ * of the DR6 register are never cleared by the processor. To avoid
++ * confusion in identifying debug exceptions, debug handlers should
++ * clear the register (except bit 16, which they should set) before
++ * returning to the interrupted task.
++ *
++ * The AMD manual says:
++ * Bits 15:13 of the DR6 register are not cleared by the processor and
++ * must be cleared by software after the contents have been read.
++ *
++ * Some bits are reserved set, some are reserved clear, and some bits
++ * which were previously reserved set are reused and cleared by hardware.
++ * For future compatibility, reset to the default value, which will allow
++ * us to spot any bit being changed by hardware to its non-default value.
++ */
++ write_debugreg(6, X86_DR6_DEFAULT);
++
+ if ( !guest_mode(regs) )
+ {
+ if ( regs->eflags & X86_EFLAGS_TF )
+@@ -3703,7 +3728,8 @@ void do_debug(struct cpu_user_regs *regs
+ }
+
+ /* Save debug status register where guest OS can peek at it */
+- v->arch.debugreg[6] = read_debugreg(6);
++ v->arch.debugreg[6] |= (dr6 & ~X86_DR6_DEFAULT);
++ v->arch.debugreg[6] &= (dr6 | ~X86_DR6_DEFAULT);
+
+ ler_enable();
+ do_guest_trap(TRAP_debug, regs, 0);
+--- a/xen/include/asm-x86/debugreg.h
++++ b/xen/include/asm-x86/debugreg.h
+@@ -24,6 +24,8 @@
+ #define DR_STATUS_RESERVED_ZERO (~0xffffeffful) /* Reserved, read as zero */
+ #define DR_STATUS_RESERVED_ONE 0xffff0ff0ul /* Reserved, read as one */
+
++#define X86_DR6_DEFAULT 0xffff0ff0ul /* Default %dr6 value. */
++
+ /* Now define a bunch of things for manipulating the control register.
+ The top two bytes of the control register consist of 4 fields of 4
+ bits - each field corresponds to one of the four debug registers,
diff --git a/main/xen/xsa260-2.patch b/main/xen/xsa260-2.patch
new file mode 100644
index 0000000000..ed93bd3687
--- /dev/null
+++ b/main/xen/xsa260-2.patch
@@ -0,0 +1,110 @@
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Subject: x86/pv: Move exception injection into {,compat_}test_all_events()
+
+This allows paths to jump straight to {,compat_}test_all_events() and have
+injection of pending exceptions happen automatically, rather than requiring
+all calling paths to handle exceptions themselves.
+
+The normal exception path is simplified as a result, and
+compat_post_handle_exception() is removed entirely.
+
+This is part of XSA-260 / CVE-2018-8897.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/x86_64/compat/entry.S
++++ b/xen/arch/x86/x86_64/compat/entry.S
+@@ -105,6 +105,12 @@ ENTRY(compat_test_all_events)
+ leaq irq_stat+IRQSTAT_softirq_pending(%rip),%rcx
+ cmpl $0,(%rcx,%rax,1)
+ jne compat_process_softirqs
++
++ /* Inject exception if pending. */
++ lea VCPU_trap_bounce(%rbx), %rdx
++ testb $TBF_EXCEPTION, TRAPBOUNCE_flags(%rdx)
++ jnz .Lcompat_process_trapbounce
++
+ testb $1,VCPU_mce_pending(%rbx)
+ jnz compat_process_mce
+ .Lcompat_test_guest_nmi:
+@@ -134,6 +140,15 @@ compat_process_softirqs:
+ call do_softirq
+ jmp compat_test_all_events
+
++ ALIGN
++/* %rbx: struct vcpu, %rdx: struct trap_bounce */
++.Lcompat_process_trapbounce:
++ sti
++.Lcompat_bounce_exception:
++ call compat_create_bounce_frame
++ movb $0, TRAPBOUNCE_flags(%rdx)
++ jmp compat_test_all_events
++
+ ALIGN
+ /* %rbx: struct vcpu */
+ compat_process_mce:
+@@ -290,15 +305,6 @@ ENTRY(cr4_pv32_restore)
+ xor %eax, %eax
+ ret
+
+-/* %rdx: trap_bounce, %rbx: struct vcpu */
+-ENTRY(compat_post_handle_exception)
+- testb $TBF_EXCEPTION,TRAPBOUNCE_flags(%rdx)
+- jz compat_test_all_events
+-.Lcompat_bounce_exception:
+- call compat_create_bounce_frame
+- movb $0,TRAPBOUNCE_flags(%rdx)
+- jmp compat_test_all_events
+-
+ /* See lstar_enter for entry register state. */
+ ENTRY(cstar_enter)
+ sti
+--- a/xen/arch/x86/x86_64/entry.S
++++ b/xen/arch/x86/x86_64/entry.S
+@@ -270,6 +270,12 @@ test_all_events:
+ leaq irq_stat+IRQSTAT_softirq_pending(%rip),%rcx
+ cmpl $0,(%rcx,%rax,1)
+ jne process_softirqs
++
++ /* Inject exception if pending. */
++ lea VCPU_trap_bounce(%rbx), %rdx
++ testb $TBF_EXCEPTION, TRAPBOUNCE_flags(%rdx)
++ jnz .Lprocess_trapbounce
++
+ testb $1,VCPU_mce_pending(%rbx)
+ jnz process_mce
+ .Ltest_guest_nmi:
+@@ -298,6 +304,15 @@ process_softirqs:
+ jmp test_all_events
+
+ ALIGN
++/* %rbx: struct vcpu, %rdx struct trap_bounce */
++.Lprocess_trapbounce:
++ sti
++.Lbounce_exception:
++ call create_bounce_frame
++ movb $0, TRAPBOUNCE_flags(%rdx)
++ jmp test_all_events
++
++ ALIGN
+ /* %rbx: struct vcpu */
+ process_mce:
+ testb $1 << VCPU_TRAP_MCE,VCPU_async_exception_mask(%rbx)
+@@ -718,15 +733,9 @@ handle_exception_saved:
+ mov %r15, STACK_CPUINFO_FIELD(xen_cr3)(%r14)
+ testb $3,UREGS_cs(%rsp)
+ jz restore_all_xen
+- leaq VCPU_trap_bounce(%rbx),%rdx
+ movq VCPU_domain(%rbx),%rax
+ testb $1,DOMAIN_is_32bit_pv(%rax)
+- jnz compat_post_handle_exception
+- testb $TBF_EXCEPTION,TRAPBOUNCE_flags(%rdx)
+- jz test_all_events
+-.Lbounce_exception:
+- call create_bounce_frame
+- movb $0,TRAPBOUNCE_flags(%rdx)
++ jnz compat_test_all_events
+ jmp test_all_events
+
+ /* No special register assumptions. */
diff --git a/main/xen/xsa260-3.patch b/main/xen/xsa260-3.patch
new file mode 100644
index 0000000000..3aa06099d1
--- /dev/null
+++ b/main/xen/xsa260-3.patch
@@ -0,0 +1,138 @@
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Subject: x86/traps: Use an Interrupt Stack Table for #DB
+
+PV guests can use architectural corner cases to cause #DB to be raised after
+transitioning into supervisor mode.
+
+Use an interrupt stack table for #DB to prevent the exception being taken with
+a guest controlled stack pointer.
+
+This is part of XSA-260 / CVE-2018-8897.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/cpu/common.c
++++ b/xen/arch/x86/cpu/common.c
+@@ -614,6 +614,7 @@ void __cpuinit load_system_tables(void)
+ tss->ist[IST_MCE - 1] = stack_top + IST_MCE * PAGE_SIZE;
+ tss->ist[IST_DF - 1] = stack_top + IST_DF * PAGE_SIZE;
+ tss->ist[IST_NMI - 1] = stack_top + IST_NMI * PAGE_SIZE;
++ tss->ist[IST_DB - 1] = stack_top + IST_DB * PAGE_SIZE;
+
+ _set_tssldt_desc(
+ gdt + TSS_ENTRY,
+@@ -634,6 +635,7 @@ void __cpuinit load_system_tables(void)
+ set_ist(&idt_tables[cpu][TRAP_double_fault], IST_DF);
+ set_ist(&idt_tables[cpu][TRAP_nmi], IST_NMI);
+ set_ist(&idt_tables[cpu][TRAP_machine_check], IST_MCE);
++ set_ist(&idt_tables[cpu][TRAP_debug], IST_DB);
+ }
+
+ /*
+--- a/xen/arch/x86/hvm/svm/svm.c
++++ b/xen/arch/x86/hvm/svm/svm.c
+@@ -997,6 +997,7 @@ static void svm_ctxt_switch_from(struct
+ set_ist(&idt_tables[cpu][TRAP_double_fault], IST_DF);
+ set_ist(&idt_tables[cpu][TRAP_nmi], IST_NMI);
+ set_ist(&idt_tables[cpu][TRAP_machine_check], IST_MCE);
++ set_ist(&idt_tables[cpu][TRAP_debug], IST_DB);
+ }
+
+ static void svm_ctxt_switch_to(struct vcpu *v)
+@@ -1021,6 +1022,7 @@ static void svm_ctxt_switch_to(struct vc
+ set_ist(&idt_tables[cpu][TRAP_double_fault], IST_NONE);
+ set_ist(&idt_tables[cpu][TRAP_nmi], IST_NONE);
+ set_ist(&idt_tables[cpu][TRAP_machine_check], IST_NONE);
++ set_ist(&idt_tables[cpu][TRAP_debug], IST_NONE);
+
+ svm_restore_dr(v);
+
+--- a/xen/arch/x86/smpboot.c
++++ b/xen/arch/x86/smpboot.c
+@@ -952,6 +952,7 @@ static int cpu_smpboot_alloc(unsigned in
+ set_ist(&idt_tables[cpu][TRAP_double_fault], IST_NONE);
+ set_ist(&idt_tables[cpu][TRAP_nmi], IST_NONE);
+ set_ist(&idt_tables[cpu][TRAP_machine_check], IST_NONE);
++ set_ist(&idt_tables[cpu][TRAP_debug], IST_NONE);
+
+ if ( setup_cpu_root_pgt(cpu) )
+ goto oom;
+--- a/xen/arch/x86/traps.c
++++ b/xen/arch/x86/traps.c
+@@ -196,13 +196,13 @@ static void show_guest_stack(struct vcpu
+ /*
+ * Notes for get_stack_trace_bottom() and get_stack_dump_bottom()
+ *
+- * Stack pages 0, 1 and 2:
++ * Stack pages 0 - 3:
+ * These are all 1-page IST stacks. Each of these stacks have an exception
+ * frame and saved register state at the top. The interesting bound for a
+ * trace is the word adjacent to this, while the bound for a dump is the
+ * very top, including the exception frame.
+ *
+- * Stack pages 3, 4 and 5:
++ * Stack pages 4 and 5:
+ * None of these are particularly interesting. With MEMORY_GUARD, page 5 is
+ * explicitly not present, so attempting to dump or trace it is
+ * counterproductive. Without MEMORY_GUARD, it is possible for a call chain
+@@ -223,12 +223,12 @@ unsigned long get_stack_trace_bottom(uns
+ {
+ switch ( get_stack_page(sp) )
+ {
+- case 0 ... 2:
++ case 0 ... 3:
+ return ROUNDUP(sp, PAGE_SIZE) -
+ offsetof(struct cpu_user_regs, es) - sizeof(unsigned long);
+
+ #ifndef MEMORY_GUARD
+- case 3 ... 5:
++ case 4 ... 5:
+ #endif
+ case 6 ... 7:
+ return ROUNDUP(sp, STACK_SIZE) -
+@@ -243,11 +243,11 @@ unsigned long get_stack_dump_bottom(unsi
+ {
+ switch ( get_stack_page(sp) )
+ {
+- case 0 ... 2:
++ case 0 ... 3:
+ return ROUNDUP(sp, PAGE_SIZE) - sizeof(unsigned long);
+
+ #ifndef MEMORY_GUARD
+- case 3 ... 5:
++ case 4 ... 5:
+ #endif
+ case 6 ... 7:
+ return ROUNDUP(sp, STACK_SIZE) - sizeof(unsigned long);
+@@ -3847,6 +3847,7 @@ void __init init_idt_traps(void)
+ set_ist(&idt_table[TRAP_double_fault], IST_DF);
+ set_ist(&idt_table[TRAP_nmi], IST_NMI);
+ set_ist(&idt_table[TRAP_machine_check], IST_MCE);
++ set_ist(&idt_table[TRAP_debug], IST_DB);
+
+ /* CPU0 uses the master IDT. */
+ idt_tables[0] = idt_table;
+--- a/xen/arch/x86/x86_64/entry.S
++++ b/xen/arch/x86/x86_64/entry.S
+@@ -789,7 +789,7 @@ ENTRY(device_not_available)
+ ENTRY(debug)
+ pushq $0
+ movl $TRAP_debug,4(%rsp)
+- jmp handle_exception
++ jmp handle_ist_exception
+
+ ENTRY(int3)
+ pushq $0
+--- a/xen/include/asm-x86/processor.h
++++ b/xen/include/asm-x86/processor.h
+@@ -453,7 +453,8 @@ struct __packed __cacheline_aligned tss_
+ #define IST_DF 1UL
+ #define IST_NMI 2UL
+ #define IST_MCE 3UL
+-#define IST_MAX 3UL
++#define IST_DB 4UL
++#define IST_MAX 4UL
+
+ /* Set the interrupt stack table used by a particular interrupt
+ * descriptor table entry. */
diff --git a/main/xen/xsa260-4.patch b/main/xen/xsa260-4.patch
new file mode 100644
index 0000000000..5b2c4eccb1
--- /dev/null
+++ b/main/xen/xsa260-4.patch
@@ -0,0 +1,72 @@
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Subject: x86/traps: Fix handling of #DB exceptions in hypervisor context
+
+The WARN_ON() can be triggered by guest activities, and emits a full stack
+trace without rate limiting. Swap it out for a ratelimited printk with just
+enough information to work out what is going on.
+
+Not all #DB exceptions are traps, so blindly continuing is not a safe action
+to take. We don't let PV guests select these settings in the real %dr7 to
+begin with, but for added safety against unexpected situations, detect the
+fault cases and crash in an obvious manner.
+
+This is part of XSA-260 / CVE-2018-8897.
+
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+
+--- a/xen/arch/x86/traps.c
++++ b/xen/arch/x86/traps.c
+@@ -3714,16 +3714,44 @@ void do_debug(struct cpu_user_regs *regs
+ regs->eflags &= ~X86_EFLAGS_TF;
+ }
+ }
+- else
++
++ /*
++ * Check for fault conditions. General Detect, and instruction
++ * breakpoints are faults rather than traps, at which point attempting
++ * to ignore and continue will result in a livelock.
++ */
++ if ( dr6 & DR_GENERAL_DETECT )
++ {
++ printk(XENLOG_ERR "Hit General Detect in Xen context\n");
++ fatal_trap(regs);
++ }
++
++ if ( dr6 & (DR_TRAP3 | DR_TRAP2 | DR_TRAP1 | DR_TRAP0) )
+ {
+- /*
+- * We ignore watchpoints when they trigger within Xen. This may
+- * happen when a buffer is passed to us which previously had a
+- * watchpoint set on it. No need to bump EIP; the only faulting
+- * trap is an instruction breakpoint, which can't happen to us.
+- */
+- WARN_ON(!search_exception_table(regs->eip));
++ unsigned int bp, dr7 = read_debugreg(7) >> DR_CONTROL_SHIFT;
++
++ for ( bp = 0; bp < 4; ++bp )
++ {
++ if ( (dr6 & (1u << bp)) && /* Breakpoint triggered? */
++ ((dr7 & (3u << (bp * DR_CONTROL_SIZE))) == 0) /* Insn? */ )
++ {
++ printk(XENLOG_ERR
++ "Hit instruction breakpoint in Xen context\n");
++ fatal_trap(regs);
++ }
++ }
+ }
++
++ /*
++ * Whatever caused this #DB should be a trap. Note it and continue.
++ * Guests can trigger this in certain corner cases, so ensure the
++ * message is ratelimited.
++ */
++ gprintk(XENLOG_WARNING,
++ "Hit #DB in Xen context: %04x:%p [%ps], stk %04x:%p, dr6 %lx\n",
++ regs->cs, _p(regs->rip), _p(regs->rip),
++ regs->ss, _p(regs->rsp), dr6);
++
+ goto out;
+ }
+